In webconfig i mentioned the session timeout as 20 minutes
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" maxRequestLength="350000" enableVersionHeader="false"
maxQueryStringLength="3584" executionTimeout="600"/>
<sessionState mode="InProc" timeout="20"></sessionState>
<globalization culture="en-GB" />
</system.web>
but the website is getting logout before 20 minutes of idle time.
Any thing i am missing in the code?
Since session information is stored in-memory (mode="InProc"), if the application domain is restarted, all session information will be deleted. If you observe this locally while developing, every time you recompile your application, this will happen. And if you observe this behavior on your web server, it is also possible that IIS could recycle the application domain. For this reason you might need to consider some of the other session state modes like StateServer or SQLServer.
I have talked about ASP.NET Session so far. But there's also the authentication. Since you talked about users being logged-off it is possible that if you are using Forms Authentication, the cookie expires. This is controlled by the <authentication> tag in your config:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" protection="All" />
</authentication>
So you might check this timeout as well.
Bottom line: do not confuse ASP.NET Session with ASP.NET Forms Authentication.
Related
I have an asp.net mvc application and I have set up impersonation as follows in the web.config.
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" />
<authentication mode="Windows">
</authentication>
<identity impersonate="true" userName="BvhHisPharmaUser" password="12345"/>
<httpModules>
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
</httpModules>
</system.web>
As you can see I have enabled windows authentication mode.
Next you can see impersonate = true. And the userName(BvhHisPharmaUser) is a windows user that I created as follows using compmgmt.msc tool.
Now when I place a break point in Index Home
I dont see the imperonate user in the identity in the immediate window.
What am I missing?
Even after I login using the login screen, I do not see the impersonate user in the immediate window as follows.
I have removed the windows authentication mode in the web.config completely
and still observe exactly the same.
My objective is to run this iis web app under the above shown windows user(BvhHisPharmaUser) because this web app calls a wcf service which is configured to authorize this user.
So my questions are as follows.
Is impersonation is the way for this, so that the web application can run under this user? Is there any other way like app pool configuration?
Why is this impersonation not working? I have enabled it as showin in the web.config and still the identity of the thread principal does not change. What am I missing?
Kindly let me know if additional info is needed.
I'm developing an ASP.NET MVC application, and when I run it from VS, if I let the browser sit on a page for a short time like 45 seconds, and then try to take some action, the request never makes it to my controller. Everything functions as expected if I don't wait at all before making a navigation/request. This problem has existed for the life of the project.
The IIS Express logs do not show any requests when this happens; however, in debug mode, VS can see that the browser did make a request. No breakpoints inside of the ActionResult get hit though, so I know it isn't getting called. The browser's debug tools show the request sitting in the pending state forever. The website is still running though, IIS doesn't crash. I can open another browser and access the login page, however, the POST doesn't fire the controller action.
This happens on every machine and with every browser. I've scoured the web and couldn't find others with my problem. My webconfig and applicationHosts look like the default generated ones, except for some forms auth settings.
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="PreserveLoginUrl" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" requestValidationMode="2.0" />
<authentication mode="Forms">
<forms slidingExpiration="true" timeout="60" loginUrl="~/Account/LogIn" />
</authentication>
Turns out the issue was a loader lock being made by a thread that was dying (terminated?) before it could release the lock. This lock would block any threads handling HTTP requests. Application Insights appeared in the callstack for the problematic thread, and after disabling it, the problem no longer occurs.
I've an MVC5 project wherein modules are spread out across multiple web applications, deployed on a single IIS Server, single app pool.
Server: Windows 2008 R2 (SP1)
IIS: 7.5.7600.16385
Forms authentication is used and cross-application authentication is enabled by using common 'machineKey'
Problem
When using Internet Explorer 10/11 and do the steps below, cross-app authentication sharing no longer works.
1. Login and open another module
2. Signout
3. Login and open another module - !!gets redirected back to login page
This issue doesn't happen with Chrome and Firefox.
Config Sample
<system.web>
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
<machineKey validationKey="KEYXXX"
decryptionKey="KEYXXX"
validation="SHA1"
decryption="AES" />
<authentication mode="Forms">
<forms loginUrl="/login/login.aspx" timeout="120" cookieless="AutoDetect" name=".ASPXFORMSAUTH" />
</authentication>
</system.web>
Signout Code
FormsAuthentication.SignOut();
HttpContext.Session.Remove(MvcConstants.userContextSessionKey);
Appreciate help on this.
I have 2 MVC 4 applications deployed on IIS 7.5. I would like to achieve a single sign on all of them. I have following web.config settings in both the applications -
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" enableCrossAppRedirects="true" path="/" name=".MVCAuthCookie" timeout="45" defaultUrl="/" slidingExpiration="false" protection="All" cookieless="UseCookies" />
</authentication>
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
<authorization>
<deny users="?" />
</authorization>
When I logged in in the first app and I browse second application in a separate tab, it still takes me to the login page for the second app. I can see in fiddler that the MVCAuthcookie is indeed getting passed with the get request for second application.
What am I missing here?
Turns out that I need to set compatibility mode for machinekey element to "Framework20SP2" as stated here - http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx which resolved the issue.
I have created an asp.net mvc web application, it's working fine on localhost but when I upload it, users will get logged out automatically while they are working.
I used:
FormsAuthentication.SetAuthCookie(dbuser.FName, false /* createPersistentCookie */);
and in Web.config:
<authentication mode="Forms">
<forms loginUrl="~/home/login" timeout="2880" />
</authentication>
I tried a lot of things but didn't find a solution. How can I prevent the auto logout from happening?
Ensure that where ever you are hosting it is hosting it as a single instance or handling the session state in an instance-independent manner - ASP.net does not automaically handle session transfers in web gardens or farms. The moment your client hits the other server, they will be logged out.
If you are hosting it on AppHarbor with two web workers for example, you will need to handle the state setup yourself.
Have you tried setting:
Session Timeout Value
<system.web>
<sessionState mode="InProc" timeout="20"/>
</system.web>
At last I have to change my whole coding converting into cookie base user module